Taming the GDPR’s Monster with Your CMS

How you can be on the way to a well-managed and compliant Collections Management System in just a few steps

It seems like everyone is talking about the new EU General Data Protection Regulation (GDPR) these days—mainly, how much work is involved and how big the fines for non-compliance are!

In some ways, the GDPR is like the mad scientist in a black-and-white horror movie who has taken something previously innocuous—like your data—and turned it into a monster. In those movies, though, it often happens that the ‘monster’ is not evil at all, just misunderstood. That is just what’s happening here: if properly tamed to comply with GDPR regulations, your data can be a great asset to your organisation (that’s why you have it, right?)

There is no better tool for taming your data than the CMS you’ve been keeping it in all along. The M in CMS doesn’t stand for Monster, it stands for Management, and with just a few steps you can be on your way to a well-managed and compliant system.

Keep Your Data Clean

The GDPR aims to give individuals more control over data about them, and it does that by allowing them to request all the personal data about them you hold. If anything is incorrect, they can request that you correct it. If you don’t have a good reason to hold data about a person, you should delete it.

If a person’s data is stored in half a hundred fields and a dozen different ways are used to write that person’s name (surname-comma-forename, title-surname, initials, nickname, etc.), good luck getting all of it! You could be at the job for hours and never be entirely certain you found everything.

It doesn’t have to be a big job, though. Think of how easy this task would be if you only had to search one field for one name format. We’re big on clean data at Axiell and have put together a series of articles on how to create and maintain it. And once you’ve found the data, your system has many inbuilt tools to create reports on, modify, or delete the data.

Often the biggest challenges with cleaning data are getting the time and convincing those higher up that it’s worth it. But here you may find that just using the magic words ‘General Data Protection Regulation’ will show them how important the task is.
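To make the point concrete, here is a small name-matching helper added to this article as an illustration. It is not code from the article or from any Axiell product; the field names and people in it are constructed sample data. It reduces the name formats listed above (surname-comma-forename, title-surname, initials) to one canonical form and then finds every field that could refer to the person, flagging initial-only matches for human review rather than treating them as certain.

```python
"""Locate one person across CMS fields written in inconsistent name formats.

Added example, not code from the original article or from any Axiell product.
Records are assumed to be available as (field_name, value) pairs; the field
names and names below are constructed sample data.
"""
from typing import List, Tuple

TITLES = {"mr", "mrs", "ms", "miss", "mx", "dr", "prof", "sir", "dame", "rev"}

# Constructed sample: the same few people written several different ways.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("acquisition.donor", "Smith, John"),
    ("loan.borrower", "Mr J. Smith"),
    ("event.contact", "Dr Jane Smith"),
    ("acquisition.donor", "Jones, A."),
    ("loan.borrower", "Smith, J."),
]


def canonical_name(raw: str) -> Tuple[str, str]:
    """Reduce a name in any common CMS format to (surname, forename).

    Handles "Smith, John", "Smith, Mr John", "Mr J. Smith" and "John Smith".
    Titles are dropped; the forename is lower-cased with any trailing full
    stop removed, so an initial becomes "j" and a full name "john".
    """
    text = raw.strip()
    if "," in text:
        surname, _, rest = text.partition(",")
        forenames = rest.split()
    else:
        parts = text.split()
        if not parts:
            return ("", "")
        surname, forenames = parts[-1], parts[:-1]
    forenames = [f for f in forenames if f.rstrip(".").lower() not in TITLES]
    forename = forenames[0].rstrip(".").lower() if forenames else ""
    return (surname.strip().lower(), forename)


def compatible(a: Tuple[str, str], b: Tuple[str, str]) -> bool:
    """True when two canonical names could be the same person: surnames agree
    and one forename is an initial (prefix) of the other. A surname-only
    entry is compatible with any forename, which is why hits must be reviewed."""
    if not a[0] or a[0] != b[0]:
        return False
    return a[1].startswith(b[1]) or b[1].startswith(a[1])


def find_person(records: List[Tuple[str, str]], query: str) -> List[Tuple[str, str, bool]]:
    """Return (field, stored_value, exact) for every record that could be `query`.

    exact=True means the stored name matches in full; exact=False means only
    an initial or surname agreed, so someone should confirm before the data
    is reported, corrected or deleted on a subject's request.
    """
    key = canonical_name(query)
    hits = []
    for field_name, value in records:
        stored = canonical_name(value)
        if compatible(key, stored):
            hits.append((field_name, value, stored == key))
    return hits


if __name__ == "__main__":
    for field_name, value, exact in find_person(SAMPLE_RECORDS, "John Smith"):
        print(f"{field_name:20} {value:15} {'exact' if exact else 'REVIEW'}")
```

Run against the sample, a search for "John Smith" finds the donor record exactly and two initial-only records that also match "Jane Smith"; those are exactly the entries that, once the data is cleaned into a single format, stop needing manual review.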

Centralise Personal Information

As I’m sure you’ve noticed, there are a lot of places you can put data in a CMS. Locating data about a person could involve a trawl through every one of these fields, but it doesn’t have to. Keeping your data clean can help reduce the work involved, but the very structure of your system can make this task a snap.

Axiell CMSs are designed to help you centralise personal information. All our systems have a separate section meant to hold information about people. Whether it is called a database, a module, or an authority, what’s important is that it stores records for people mentioned elsewhere in the system—neatly pulling together that person’s information in a single location.

If you use this section as it is intended (for example, by putting a donor’s contact information here rather than in a note about the acquisition of an object), finding all the information about a person becomes easy. Just pull up the record for that person and check to see what it’s linked to. And if it’s easier to find the data you want, it’s easier to do any other task with it that the GDPR might require.

Lock It Down

If you got up for a coffee right now, could anyone get into your computer—or your CMS? Are there any computers in a publicly-accessible research room that have access to your CMS? Do you give volunteers access to your CMS? In all these circumstances, what could someone access in your CMS?

A big priority of the GDPR is ensuring that personal data is only accessible to people who have an appropriate reason to access it. Security and access control settings are your friends here. You can set up security to ensure that users must log in to gain access to the CMS. You can also fine-tune permissions so that allowing volunteers to catalogue objects, for example, doesn’t mean they see the names or contact details of borrowers.

Even if you aren’t responsible for setting up and modifying security on a system, you can do your part by ensuring that you use a strong password and don’t leave the system logged in if you are away from it.
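The two ideas in the Centralise Personal Information and Lock It Down sections fit together, so here is one added example covering both. It is illustrative Python written for this article, not code from Axiell or any real CMS, and its people, items, role names and field names are all constructed. A people authority holds each person once; acquisition and loan records link to it by id, so a subject access request or an erasure follows links instead of searching free text. Field-level permissions are deny-by-default, so a volunteer cataloguer can link to a name without ever seeing contact details, and a public research-room terminal sees nothing.

```python
"""People authority with linked records and role-based field access.

Added example, not code from the original article or from any Axiell product.
The data model, role names, field names and sample people are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Person:
    """One record in the people authority: the single place a person lives."""
    person_id: str
    name: str
    email: str
    phone: str


@dataclass
class Item:
    """An acquisition or loan record that links to people by id instead of
    repeating their details in a free-text note."""
    item_id: str
    kind: str
    links: Dict[str, str]  # link role -> person_id, e.g. {"donor": "P1"}


PERSON_FIELDS = ("name", "email", "phone")

# Which person fields each role may see. Deny by default: a role that is not
# listed sees nothing. Cataloguers may see a name to link to, never contact
# details; only the registrar sees everything.
FIELD_PERMISSIONS: Dict[str, set] = {
    "registrar": {"name", "email", "phone"},
    "volunteer_cataloguer": {"name"},
    "research_room_terminal": set(),
}


def sample_data() -> Tuple[Dict[str, Person], List[Item]]:
    """Fresh copies of constructed sample data (no real people)."""
    people = {
        "P1": Person("P1", "Jane Smith", "jane@example.org", "01234 567890"),
        "P2": Person("P2", "Arthur Jones", "a.jones@example.org", "09876 543210"),
    }
    items = [
        Item("ACQ-2018-001", "acquisition", {"donor": "P1"}),
        Item("LOAN-2018-007", "loan", {"borrower": "P2", "approved_by": "P1"}),
        Item("ACQ-2018-002", "acquisition", {"donor": "P2"}),
    ]
    return people, items


def view_person(role: str, person: Person) -> Dict[str, str]:
    """Return only the fields the role is permitted to see."""
    allowed = FIELD_PERMISSIONS.get(role, set())
    return {f: getattr(person, f) for f in PERSON_FIELDS if f in allowed}


def subject_access(person_id: str, people: Dict[str, Person], items: List[Item]) -> dict:
    """Everything held about one person: the authority record plus every item
    linking to it, found by following links rather than searching text."""
    person = people[person_id]
    linked = [
        (item.item_id, item.kind, link_role)
        for item in items
        for link_role, pid in item.links.items()
        if pid == person_id
    ]
    return {"record": {f: getattr(person, f) for f in PERSON_FIELDS},
            "linked_items": linked}


def erase_person(person_id: str, people: Dict[str, Person], items: List[Item]) -> int:
    """Remove the authority record and every link to it, leaving the items
    themselves in place. Returns the number of links removed for the audit log."""
    removed = 0
    for item in items:
        for link_role in [r for r, pid in item.links.items() if pid == person_id]:
            del item.links[link_role]
            removed += 1
    del people[person_id]
    return removed


if __name__ == "__main__":
    people, items = sample_data()
    print("volunteer sees:", view_person("volunteer_cataloguer", people["P1"]))
    print("access request:", subject_access("P1", people, items))
    print("links removed on erasure:", erase_person("P1", people, items))
```

Because every reference goes through a person id, the same link list that answers an access request also tells you what an erasure will touch, and the permission table is the one place to check when deciding what a new user group should be able to see.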

Think Twice About Copies

Okay, so you’ve got your CMS locked down so that only people who need access to personal data can see it. Everything is tidy, so as soon as you need to retrieve or delete information, you can find it. But what about that spreadsheet of last month’s acquisitions that you exported to your desktop, tidied up, and then emailed? Was there any information about donors in it? Any personal information?

Personal data doesn’t stop being personal data just because it’s outside your CMS. This goes for reports you make, backups of your CMS data, paper originals of loan agreements—any copies of data stored in the CMS.

I’m not saying you should get rid of all those copies. Often you have a good reason to hold them. Just think twice before making them: would that list of last month’s acquisitions work just as well without data about donors? Can you find the copy if you need to? And what processes are in place to be sure only the right people can see the copy?

Getting Compliant

If you want help implementing any of this in your Axiell CMS, we’ve designed a new course called Getting Compliant which covers all the functions in your software that can be useful in dealing with the GDPR. To book onto this or any of our other courses, visit our training page.